SOC 2 compliance is a major undertaking.
It requires a significant amount of planning and collaboration across your company. As with any other important initiative, building a solid SOC 2 project plan will keep the process running smoothly.
This outline of a typical SOC 2 project plan will help everyone at your organization understand what to expect at each phase of the process.
Get Buy-in Across Your Organization
Make a company-wide announcement on your SOC 2 compliance initiative.
Explain to everyone how becoming compliant will benefit your organization. Beyond unlocking sales and fueling growth, compliance protects your brand reputation and builds trust with customers.
Now is also a good time to set expectations.
Explain how the compliance process may affect daily operations and workflows, including processes and tools used.
Change is difficult, but people will be more open to it if they understand the causes and benefits of that change.
Form a SOC 2 Leadership Team
SOC 2 isn’t just a project for your compliance or IT departments. It requires collaboration and participation across the entire company.
Here’s a high-level overview of who will need to be involved:
- Executive sponsor: This person understands the business reasons behind why you’re working towards compliance. They can settle any conflicts that might arise when rolling out changes to tools, policies, and processes
- SOC 2 project owner: This person is responsible for overseeing the preparation and audit process. They'll track milestones to make sure they are met
- Head of Technology: This is someone who can ensure tech team adoption
- Head of Infrastructure/Security: This person can assist with driving implementation
- HR and/or Legal: This person can help design policies and ensure employee adoption
- External: This person is your SOC 2 compliance consultant and/or auditor
At smaller companies, this team is often comprised of:
- A technical lead (CTO or VP Engineering)
- A business process lead (COO or HR Manager)
- An infosec lead (Director of Security or Senior Engineer)
It’s important to set expectations on how long the process will take and what’s required from everyone involved.
In general, it’s a good idea to plan for about 6 months of preparation work before you begin the formal audit process.
Define Audit Scope
Include too much? You'll waste time and resources implementing controls for risks your company doesn’t actually face.
Include too little? You’re overlooking key vulnerabilities and setting yourself up for repeat audits.
Here are a few key questions to ask yourself while scoping your audit:
- Do you need a SOC 2 report for your entire organization or only certain services?
- Do you need a SOC 2 Type I or Type II report?
- Which Trust Services Criteria do you need to include?
- Which systems and processes support those TSC and will be assessed by the auditor?
- Which contractors can you carve out that don’t affect customer data security?
Understanding which aspects of your infrastructure will be involved will help you determine the controls you need to implement to be SOC 2 compliant.
Write Policies and Processes
You’ll need a library of policies for things like information security, access control, network security, password management, and risk assessment.
Building your policy library can be a major time investment that isn’t easily delegated. (Unless you have compliance automation software that offers a library of templated policies to choose from.)
Someone senior on your team will need to create these policies, likely with the help of HR and legal.
Implement Technical Configurations and Controls
Identify any gaps in your compliance and make a plan for resolving them. What new tools or processes will you need to implement?
Time-consuming technical tasks often require assistance from your developer and IT teams.
Plus, new tools will take time and research to select and set up.
Because this can be a lengthy process, it’s important not to get stuck here. Some companies suffer from analysis paralysis. Try not to allow more than two months to pass before putting your technical configurations into place.
Conduct a Readiness Assessment
The last thing you want to do after months of prep work is to spend thousands of dollars on a formal SOC 2 audit only to fail.
So how do you know if you’re ready to ace an audit?
It's an examination performed by an auditor to determine how ready your organization is for a successful SOC 2 audit. It will spot any gaps in your controls and help you fix them.